On January 2, HHS announced that it had entered into a HIPAA breach settlement with the Hospice of North Idaho (HONI) in what it reported as the first such settlement involving a breach of PHI affecting fewer than 500 individuals.  Under the resolution agreement, HONI agreed to pay HHS $50,000 and enter into a corrective action plan requiring HONI to report to HHS any time it determines that a workforce member has failed to comply with its Privacy and Security policies.

The investigation and settlement arose out of a breach notification report submitted by HONI, as required by the HIPAA breach notification rule.  HONI reported the theft of a laptop computer, which contained PHI of 441 patients.  During the subsequent investigation, HHS determined that HONI was not in compliance with two different requirements of the HIPAA security rule: (1) it had not conducted a risk analysis to safeguard ePHI, and (2) it did not have in place policies or procedures to address mobile device security.

HIPAA’s breach notification rules have different requirements for breaches affecting fewer than 500 individuals.  For these smaller breaches, a covered entity need only notify the Secretary on an annual basis and no later than 60 days after the end of the calendar year during which the breach occurred.  However, this settlement should put all covered entities on notice that even small-scale breaches can result in significant liability under HIPAA.

HHS used the announcement of the settlement to remind interested individuals of its new educational initiative on mobile devices, launched by the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology(ONC).  This new initiative instructs health care providers and other health care professionals on best practices to protect patient information when using mobile devices such as laptops, tablets, and smartphones.  The initiative also includes educational materials that providers can use to spread awareness among their organizations of the importance of securing mobile data.